Hackers Use Alexa and Google Home to Phish Passwords

Amazon Alexa and Google Home made news a while back when it was reported that employees for both companies routinely listened to their users’ recorded audio. Additionally, those recordings were being stored and used as evidence in criminal trials. Now there’s a new concern. ARS Technica reports that one company, Secure Research Labs based in Germany, has identified gaps in Google’s and Amazon’s security-vetting processes.

SRLabs tested these processes by creating eight apps that passed the security-checking process, but were used to quietly log all conversations within earshot of the device and send a copy to a developer-designated server. What’s worse is that one of the apps was designed to give an error message saying that the app was not available in the user’s country, then go silent, giving the impression that the app was no longer working. After about a minute, the app used a voice that mimicked the ones used by Alexa and Google Home to falsely claim that a device update was available and prompted the user for the password for it to be installed, demonstrating how easy it is to obtain user credentials.

The good news is that when SRLabs notified Amazon and Google of their findings, both companies responded quickly and made changes to their security review. The bad news is that companies like this don’t know about vulnerabilities until someone reports it. Bottom line, it’s not just Amazon or Google that could be spying on you, but any of your applications that you have installed on them.

Our advice is to carefully consider how much privacy you are willing to give up for the convenience of voice-activated devices. To read more and see the videos posted by SRLabs, see the original article here.

Leave a Reply

Your email address will not be published. Required fields are marked *